| 6316 |
2024-01-13 19:46
|
 InstallSetup2.exe 026dc7c174870bd1ccf25a3c58d69440
Emotet Gen1 TA551 BazarLoader NSIS Generic Malware Malicious Library UPX Malicious Packer Antivirus Admin Tool (Sysinternals etc ...) Anti_VM PE32 PE File DLL PE64 DllRegisterServer dll PNG Format OS Processor Check .NET DLL CAB MZP Format ZIP Format JPE Browser Info Stealer VirusTotal Malware Malicious Traffic Check memory Creates executable files unpack itself AppData folder AntiVM_Disk WriteConsoleW IP Check VM Disk Size Check Ransomware Windows Browser DNS |
2
http://185.172.128.53/syncUpd.exe - rule_id: 38939
http://api.ipify.org/?format=C:\Users\test22\AppData\Local\Temp\nsvC436.tmp
|
4
api.ipify.org(104.237.62.212)
173.231.16.76
91.92.255.226
185.172.128.53 - malware
|
6
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET POLICY External IP Lookup (ipify .org)
|
1
http://185.172.128.53/syncUpd.exe
|
10.6 |
M |
48 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6317 |
2024-01-13 19:42
|
 Invoke-Shellcode.ps1 8d110271ce2244b30d00daa63a0bde62
Generic Malware Antivirus unpack itself |
|
|
|
|
0.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6318 |
2024-01-13 19:40
|
 hhh.hta 6be3e8b51f47ae0b17f18c2978170c07
Generic Malware Antivirus AntiDebug AntiVM PowerShell Malware powershell suspicious privilege Code Injection Malicious Traffic Check memory Checks debugger Creates shortcut RWX flags setting unpack itself Windows utilities Check virtual network interfaces suspicious process WriteConsoleW Windows ComputerName DNS Cryptographic key |
1
http://139.99.114.151/file/Explorer.exe
|
1
139.99.114.151 - mailcious
|
2
ET INFO Executable Download from dotted-quad Host
ET HUNTING Suspicious explorer.exe in URI
|
|
10.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6319 |
2024-01-13 19:37
|
 shell.dll 470e404c0132733c3df4895672dbd282
Malicious Library UPX PE File DLL PE64 OS Processor Check Check memory Checks debugger buffers extracted unpack itself Windows Cryptographic key crashed |
|
|
|
|
2.0 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6320 |
2024-01-13 19:33
|
 amsi.ps1 11a2c5a1096a4b63edcd96e578b1138d
Hide_EXE Generic Malware Antivirus VirusTotal Malware unpack itself |
|
|
|
|
1.2 |
M |
27 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6321 |
2024-01-13 19:31
|
 newrock2.exe 20dc7abde7dbae943356eb9bd311e9c0
NPKI HermeticWiper Generic Malware Suspicious_Script NSIS Malicious Library UPX Antivirus Admin Tool (Sysinternals etc ...) Malicious Packer Anti_VM Javascript_Blob PE32 PE File .NET EXE PNG Format JPEG Format OS Processor Check ZIP Format MZP Format PE6 Malware AutoRuns MachineGuid Malicious Traffic Check memory Checks debugger Creates executable files unpack itself Windows utilities Check virtual network interfaces suspicious process AppData folder AntiVM_Disk WriteConsoleW VM Disk Size Check Tofsee Ransomware Windows ComputerName DNS |
3
http://apps.identrust.com/roots/dstrootcax3.p7c
http://185.172.128.53/syncUpd.exe - rule_id: 38939
http://185.172.128.90/cpa/ping.php?substr=seven&s=ab
|
5
i.alie3ksgaa.com(154.92.15.189) - mailcious
154.92.15.189 - mailcious
23.67.53.17
185.172.128.90
185.172.128.53 - malware
|
6
ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Executable Download from dotted-quad Host
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
1
http://185.172.128.53/syncUpd.exe
|
10.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6322 |
2024-01-13 19:29
|
 teamviewer.exe fab9a49f34ba2e67cdbb4fe8e00fbd57
Malicious Library UPX PE32 PE File OS Processor Check |
|
|
|
|
|
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6323 |
2024-01-13 19:27
|
 twoo.exe 013dd34c1d52ad6a86419657437e247a
Client SW User Data Stealer LokiBot ftp Client info stealer Admin Tool (Sysinternals etc ...) .NET framework(MSIL) Malicious Library UPX Http API PWS Code injection AntiDebug AntiVM PE32 PE File MSOffice File .NET EXE DLL OS Processor Check Malware Telegram Buffer PE PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself AppData folder malicious URLs Tofsee Windows ComputerName DNS Cryptographic key crashed |
2
https://steamcommunity.com/profiles/76561199601319247
https://t.me/bg3goty
|
5
t.me(149.154.167.99) - mailcious
steamcommunity.com(104.76.78.101) - mailcious
149.154.167.99 - mailcious
104.76.78.101 - mailcious
65.109.241.139
|
3
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
11.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6324 |
2024-01-13 19:27
|
 1.exe 61266f99271cd5605d384c2953ac4fbf
Admin Tool (Sysinternals etc ...) .NET framework(MSIL) Malicious Library UPX Socket ScreenShot Steal credential DNS Code injection AntiDebug AntiVM PE32 PE File MSOffice File .NET EXE DLL OS Processor Check Buffer PE PDB Code Injection Check memory Checks debugger buffers extracted Creates executable files unpack itself Detects VirtualBox AppData folder malicious URLs Windows ComputerName DNS Cryptographic key |
|
1
154.92.15.189 - mailcious
|
|
|
9.6 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6325 |
2024-01-13 19:26
|
 InstallSetup10.exe d5610fe6893c1bb0df7b32471f878839
NSIS Generic Malware Malicious Library UPX Antivirus Admin Tool (Sysinternals etc ...) Malicious Packer Anti_VM PE32 PE File PNG Format OS Processor Check MZP Format ZIP Format JPEG Format BMP Format CHM Format DLL icon PE64 CAB MSOffice File Word 2007 f Malware Malicious Traffic Check memory Creates executable files unpack itself AppData folder AntiVM_Disk IP Check VM Disk Size Check Tofsee Ransomware Windows DNS |
3
http://185.172.128.53/syncUpd.exe - rule_id: 38939
http://api.ipify.org/?format=fgf
https://iplogger.com/1zteH4
|
6
api.ipify.org(173.231.16.76)
iplogger.com(104.21.76.57) - mailcious
173.231.16.76
104.21.76.57
91.92.255.226
185.172.128.53 - malware
|
10
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET POLICY External IP Lookup (ipify .org)
ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
ET INFO External IP Lookup Domain (iplogger .com in DNS lookup)
ET INFO Executable Download from dotted-quad Host
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
|
1
http://185.172.128.53/syncUpd.exe
|
8.8 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6326 |
2024-01-13 19:23
|
 InstallSetup7.exe e2ebe1a39955919490d77003ebd1e24a
NPKI HermeticWiper NSIS Generic Malware Suspicious_Script Malicious Library UPX Antivirus Admin Tool (Sysinternals etc ...) Malicious Packer Anti_VM Javascript_Blob PE32 PE File PNG Format JPEG Format OS Processor Check MZP Format ZIP Format icon BMP For VirusTotal Malware Malicious Traffic Check memory Creates executable files unpack itself AppData folder AntiVM_Disk IP Check VM Disk Size Check Ransomware Windows DNS |
2
http://185.172.128.53/syncUpd.exe - rule_id: 38939
http://api.ipify.org/?format=ewf
|
4
api.ipify.org(173.231.16.76)
104.237.62.212
91.92.255.226
185.172.128.53 - malware
|
7
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
ET INFO Executable Download from dotted-quad Host
ET INFO Packed Executable Download
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET POLICY External IP Lookup (ipify .org)
|
1
http://185.172.128.53/syncUpd.exe
|
9.4 |
M |
47 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6327 |
2024-01-13 19:22
|
 she.exe 9c1dc78462bfce4ded92e18ce7e15d9b
Generic Malware Malicious Library UPX Antivirus PE File PE64 OS Processor Check PowerShell powershell suspicious privilege MachineGuid Check memory Checks debugger Creates shortcut unpack itself suspicious process Windows ComputerName DNS Cryptographic key |
|
1
|
|
|
6.4 |
M |
|
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6328 |
2024-01-13 19:20
|
updationavailableforentierospr... 8f65da99c939a67fd8065dd8890374ab
MS_RTF_Obfuscation_Objects RTF File doc VirusTotal Malware VBScript Malicious Traffic buffers extracted exploit crash unpack itself Tofsee Exploit DNS crashed |
2
https://paste.ee/d/DjEFv
http://107.175.113.207/277/BrowserUpdate.vbs
|
5
paste.ee(104.21.84.67) - mailcious
wallpapercave.com(172.67.29.26) - malware
104.22.53.71
104.21.84.67 - malware
107.175.113.207 - malware
|
3
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO Dotted Quad Host VBS Request
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
|
|
4.6 |
M |
31 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6329 |
2024-01-13 19:18
|
 one.exe bd94daa7872d164c29dcdf71a89b4771
Client SW User Data Stealer LokiBot ftp Client info stealer Admin Tool (Sysinternals etc ...) .NET framework(MSIL) Malicious Library UPX Http API PWS Code injection AntiDebug AntiVM PE32 PE File MSOffice File .NET EXE DLL OS Processor Check VirusTotal Malware Telegram Buffer PE PDB MachineGuid Code Injection Malicious Traffic Check memory Checks debugger buffers extracted WMI Creates executable files unpack itself AppData folder malicious URLs Tofsee Windows ComputerName DNS Cryptographic key crashed |
2
https://steamcommunity.com/profiles/76561199601319247
https://t.me/bg3goty
|
5
t.me(149.154.167.99) - mailcious
steamcommunity.com(104.76.78.101) - mailcious
149.154.167.99 - mailcious
104.76.78.101 - mailcious
65.109.241.139
|
3
ET INFO Observed Telegram Domain (t .me in TLS SNI)
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET INFO TLS Handshake Failure
|
|
12.6 |
|
37 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6330 |
2024-01-13 19:14
|
 red.exe 3c78cef4203a47012167be0877274540
RedlineStealer RedLine Infostealer RedLine stealer .NET framework(MSIL) UPX Malicious Library Malicious Packer Antivirus PE32 PE File .NET EXE OS Processor Check Browser Info Stealer RedLine Malware download FTP Client Info Stealer VirusTotal Malware suspicious privilege Malicious Traffic Check memory Checks debugger buffers extracted Creates executable files unpack itself Collect installed applications Check virtual network interfaces AppData folder installed browsers check Tofsee Stealer Windows Browser ComputerName DNS Cryptographic key Software crashed |
3
http://91.92.255.187:1334/
https://api.ip.sb/geoip
http://91.92.255.187/venom.exe
|
4
api.ip.sb(104.26.13.31)
23.67.53.27
104.26.13.31
91.92.255.187 - mailcious
|
9
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET MALWARE RedLine Stealer - CheckConnect Response
ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound
ET MALWARE Redline Stealer Family Activity (Response)
SURICATA HTTP unable to match response to request
ET INFO Executable Download from dotted-quad Host
ET POLICY PE EXE or DLL Windows file download HTTP
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
9.2 |
M |
58 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|